Conversation

@jamie-albert
Member

Summary

Fixes GHSA-cfpf-hrx2-8rv6 (CVE-2025-68156) by updating github.com/expr-lang/expr from v1.17.6 to v1.17.7.

Vulnerability Details

  • GHSA: GHSA-cfpf-hrx2-8rv6
  • CVE: CVE-2025-68156
  • Component: github.com/expr-lang/expr v1.17.6 (go-module)
  • Type: Denial of Service via unbounded recursion
  • Severity: High
  • Attack Vector: Deeply nested or cyclic data structures in builtin functions (flatten, min, max, mean, median)

Changes

  • github.com/expr-lang/expr: v1.17.6 → v1.17.7 (via go/bump)
  • Epoch: 0 → 1

Implementation

Added go/bump step after git-checkout to update the expr dependency to the patched version.

Verification

Remote scan confirms vulnerability present in 0.142.0-r0. After rebuild with go/bump, github.com/expr-lang/expr v1.17.7 will be used, resolving the vulnerability.

References

@octo-sts
Contributor

octo-sts bot commented Dec 24, 2025

📦 Build Failed: Missing Dependency

package github.com/expr-lang/expr was not found on the go.mod file. Please remove the package or add it to the list of 'replaces'

Build Details

Category        Details
Build System    Go (gobump)
Failure Point   go/bump step during dependency update

Root Cause Analysis 🔍

The gobump tool attempted to update the package github.com/expr-lang/expr@v1.17.7 but this package is not present in the go.mod file of the opentelemetry-collector project. The tool requires either the package to exist in go.mod or to be explicitly listed in the 'replaces' configuration.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: opentelemetry-collector.yaml

  • remove lines 23-25 (pipeline section, go/bump step)
    Original:
      - uses: go/bump
        with:
          deps: github.com/expr-lang/expr@v1.17.7
    Content: Remove the current go/bump step that is failing
  • add after line 21 (pipeline section, after git-checkout step)
    Replacement:
      - uses: go/bump
        with:
          deps: github.com/expr-lang/expr@v1.17.7
          modroot: .
    Content: Add go/bump step with correct modroot pointing to the main module
Analysis

The pattern across all similar fixes shows that when gobump fails with "package was not found on the go.mod file", there are two main approaches: 1) Remove the problematic package from the deps list if it's not actually needed (as seen in Fix Example #1 where github.com/golang/glog was removed), or 2) Add a new go/bump step with the correct modroot path that points to where the package actually exists in the project structure (as seen in Fix Examples #0 and #2 where github.com/opencontainers/selinux was added with modroot pointing to ./projects/kubernetes/kubernetes/kubernetes). The key insight is that different modules within a multi-module Go project may have different go.mod files, and the bump operation needs to target the correct module root.

Explanation

The current go/bump step is failing because it's trying to update github.com/expr-lang/expr@v1.17.7 but the default modroot is pointing to the wrong location. The opentelemetry-collector repository is a multi-module Go project, and the main go.mod file is in the root directory, not in ./cmd/builder. By adding the 'modroot: .' parameter, we explicitly tell gobump to look for the go.mod file in the root of the checked-out repository where the expr-lang/expr dependency is likely to be found. This follows the same pattern as the fixes in Examples #0 and #2, where the correct modroot path was specified to point gobump to the right module within the project structure.

Alternative Approaches

  • Remove the go/bump step entirely if the expr-lang/expr dependency update is not critical for this build
  • Add the package to a replaces section if it's a dependency conflict that needs special handling
  • Check if the dependency exists in a different module within the project and target that specific modroot path

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Dec 24, 2025
@jamie-albert
Member Author

Closing - expr-lang/expr is a transitive dependency not in go.mod. Creating pending-upstream-fix advisory instead.
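As an added example (not code from the PR or from the opentelemetry-collector package), here is a small POSIX shell check for the situation the closing comment describes: it classifies a module as a direct requirement, an `// indirect` entry, or absent from go.mod, which is what decides whether a go/bump `deps` entry can find it at all. The go.mod text and module names below are constructed for the example; the real collector go.mod is not reproduced on this page.

```shell
#!/bin/sh
# Added example, not from the PR: classify a module's status in a go.mod so
# you know whether a melange go/bump "deps" entry can find it.
# The go.mod below is constructed for this example; the real
# opentelemetry-collector go.mod is not reproduced on the PR page.
GOMOD_SAMPLE='module example.com/collector-sample

go 1.23

require (
    github.com/spf13/cobra v1.8.1
    go.uber.org/zap v1.27.0 // indirect
)

require github.com/stretchr/testify v1.9.0
'

# Read go.mod text on stdin and print one of:
#   direct   - required without "// indirect"
#   indirect - required, marked "// indirect"
#   missing  - not listed (the transitive-only case from this PR)
gomod_dep_state() {
  awk -v mod="$1" '
    /^require[[:space:]]*\(/ { inblock = 1; next }
    inblock && /^\)/         { inblock = 0; next }
    {
      line = $0
      if (!inblock) {
        # single-line form: "require path version"
        if (line !~ /^require[[:space:]]/) next
        sub(/^require[[:space:]]+/, "", line)
      }
      sub(/^[[:space:]]+/, "", line)
      split(line, f, " ")
      if (f[1] == mod) {
        state = (line ~ /\/\/[[:space:]]*indirect/) ? "indirect" : "direct"
        print state
        found = 1
        exit
      }
    }
    END { if (!found) print "missing" }
  '
}

# gobump only updates modules present in go.mod; a "missing" module needs a
# replaces entry or an upstream fix, which is the conclusion of this PR.
gobump_can_find() {
  [ "$(printf '%s' "$GOMOD_SAMPLE" | gomod_dep_state "$1")" != missing ]
}

printf '%s' "$GOMOD_SAMPLE" | gomod_dep_state github.com/expr-lang/expr
```

Against a real checkout, `go list -m all` prints the full build list, so a module that appears there but classifies as missing here is exactly the transitive-only case the closing comment refers to.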
